Posted to commits@commons.apache.org by ch...@apache.org on 2019/08/15 02:19:34 UTC

[commons-beanutils] branch master updated: (update) put 1.9.4 docs into 2.x master

This is an automated email from the ASF dual-hosted git repository.

chtompki pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-beanutils.git


The following commit(s) were added to refs/heads/master by this push:
     new 25381c1  (update) put 1.9.4 docs into 2.x master
25381c1 is described below

commit 25381c1370dba6a91401a4e4891de1e46a902a55
Author: Rob Tompkins <ch...@gmail.com>
AuthorDate: Wed Aug 14 22:17:54 2019 -0400

    (update) put 1.9.4 docs into 2.x master
---
 src/changes/changes.xml | 14 ++++++++++++++
 src/site/xdoc/index.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 58 insertions(+)

diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 14676d6..d5fb5b7 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -65,6 +65,20 @@
       </action>
     </release>
 
+    <release version="1.9.4" date="2019-08-13" description="The primary reason for this release is a bugfix for
+CVE-2014-0114. More specifically, our goal with BEANUTILS-520
+is to set the default behaviour of the BeanUtilsBean
+to not allow class level access. The goal in doing this now
+is to bring 1.9.X into alignment with the same behaviour
+of the 2.X version line in regards to security.
+If one would like to opt out of the default behaviour, one could follow the
+example set out in the test class available in
+src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java.">
+      <action issue="BEANUTILS-520" dev="chtompki" type="fix" due-to="Melloware">
+        BeanUtils mitigation of CVE-2014-0114. (CVE-2019-10086 for commons-beanutils).
+      </action>
+    </release>
+
     <release version="1.9.3" date="2016-09-21" description="Bug fix release, now builds with Java 8">
       <action issue="BEANUTILS-433" dev="ggregory" type="update" due-to="Benedikt Ritter, Gary Gregory">
         Update dependency from JUnit 3.8.1 to 4.12.
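Review bot: the release description opens with "a bugfix for CVE-2014-0114", but the action line in the same hunk states that the identifier assigned to commons-beanutils is CVE-2019-10086; lead the description with CVE-2019-10086 and mention CVE-2014-0114 only as the related Struts issue it parallels, otherwise scanners and readers keying on the CVE text will file this release under the wrong identifier. Also, the opt-out pointer to src/test/java/org/apache/commons/beanutils/bugs/Jira520TestCase.java uses the 1.9.x package layout (org.apache.commons.beanutils), while this commit lands on the 2.x master whose example in index.xml asserts against org.apache.commons.beanutils2.AlphaBean; either qualify the path as "in the 1.9.x branch" or make sure a file exists at that path on master so the reference does not dangle.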
diff --git a/src/site/xdoc/index.xml b/src/site/xdoc/index.xml
index 7293b82..c5a77b9 100644
--- a/src/site/xdoc/index.xml
+++ b/src/site/xdoc/index.xml
@@ -115,6 +115,50 @@ Bean Collections has an additional dependency on
   </ul>
 </subsection>
 <subsection name="1.9.x releases">
+    <p>
+    The latest BeanUtils release is available to download
+    <a href="http://commons.apache.org/beanutils/download_beanutils.cgi">here</a>.<br/>
+    <em><strong>1.9.4</strong></em><br/><br/>
+    <ul>
+      <li><a href="http://commons.apache.org/beanutils/javadocs/v1.9.4/RELEASE-NOTES.txt">Release Notes</a></li>
+      <li><a href="http://commons.apache.org/beanutils/javadocs/v1.9.4/apidocs/index.html">JavaDoc</a></li>
+    </ul>
+    <strong>CVE-2019-10086.</strong> Apache Commons Beanutils does not suppresses
+    the class property in bean introspection by default.<br/><br/>
+    <strong>Severity.</strong> Medium<br/><br/>
+    <strong>Vendor.</strong> The Apache Software Foundation<br/><br/>
+    <strong>Versions Affected.</strong> All versions commons-beanutils-1.9.3 and before.<br/><br/>
+    <strong>Description.</strong> In version 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for
+    an attacker to access the classloader via the class property available on all Java objects. We, however were not
+    using this by default characteristic of the PropertyUtilsBean.<br/><br/>
+    <strong>Mitigation.</strong> Upgrade to commons-beanutils-1.9.4<br/><br/>
+    <strong>Credit.</strong> This was discovered by Melloware (https://melloware.com/).<br/><br/>
+    <strong>Example.</strong>
+    <source>/**
+* Example usage after 1.9.4
+*/
+public void testSuppressClassPropertyByDefault() throws Exception {
+  final BeanUtilsBean bub = new BeanUtilsBean();
+  final AlphaBean bean = new AlphaBean();
+  try {
+    bub.getProperty(bean, "class");
+    fail("Could access class property!");
+  } catch (final NoSuchMethodException ex) {
+    // ok
+  }
+}
+
+/**
+* Example usage to restore 1.9.3 behaviour
+*/
+public void testAllowAccessToClassProperty() throws Exception {
+  final BeanUtilsBean bub = new BeanUtilsBean();
+  bub.getPropertyUtils().removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
+  final AlphaBean bean = new AlphaBean();
+  String result = bub.getProperty(bean, "class");
+  assertEquals("Class property should have been accessed", "class org.apache.commons.beanutils2.AlphaBean", result);
+}</source>
+  </p>
   <p>
     BeanUtils <strong>1.9.x</strong> releases are binary compatible (with a minor exception
     described in the release notes) with version 1.8.3 and require a minimum of
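Review bot: the `<ul>` and the `<source>` block added here sit inside the `<p>` opened at the top of the hunk, and `<p>` cannot contain `<ul>` or the `<pre>` that `<source>` renders to, so browsers will close the paragraph early and the trailing `</p>` becomes an orphan; close the `</p>` before the `<ul>` and keep the `<source>` block outside any paragraph. The advisory text has two wording slips worth fixing before it is published: "does not suppresses" should read "does not suppress", and "We, however were not using this by default characteristic of the PropertyUtilsBean" should read along the lines of "However, PropertyUtilsBean did not install this introspector by default". In testAllowAccessToClassProperty the expected value "class org.apache.commons.beanutils2.AlphaBean" is the 2.x package name, whereas the 1.9.x test package referenced in changes.xml is org.apache.commons.beanutils, so a reader copying this into a 1.9.4 project gets an assertion failure. Finally, since the Description paragraph explains that the class property is the path to the classloader, the "restore 1.9.3 behaviour" example should carry a one-line warning that calling removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS) reopens exactly that vector and is only safe when property names never come from untrusted input.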